Secrets on Digital Forensics


In this article I will cover the hot topic of digital forensics. Interest in it is not limited to digital investigators or digital crime; it can also be used in the private sector during internal corporate investigations. Digital forensics can be categorized as computer forensics, mobile forensics, network forensics, forensic data analysis and database forensics.

Digital forensics consists of three main parts: acquisition (cloning or imaging) of exhibits, analysis, and reporting. Each part has its own tool or dedicated device, depending on who is going to make use of the results and the evidence they are looking for.
I have been using some of these tools since 2005, so I will make sure I cover all the important aspects in order to save you time and simplify the process of investigation or even recovering your own lost information.

A sample of a PC that is customized and loaded with most of the tools that I will mention can be seen here.


Forensic tools guide index:



Storage media acquisition:

  • Talon, Dossier, and Forensic Falcon are cloning devices from Logicube with a capture speed of 20GB/min. They have a wipe feature, capture to DD image files, and provide MD5 and SHA-256 authentication.
  • TD3 is a cloning device from Tableau with a capture speed of 9GB/min and USB3 and FireWire support.
  • Fred is a cloning device from Digital Intelligence, for when you are looking for a multi-drive acquisition device that allows you to install your own analysis tools and OS. They offer a portable version as well.
  • WinHex is a software tool that allows you to produce exact duplicates of disks/drives.
  • FTK Imager is a software tool that allows you to mount and create images from different types of drives.
  • Air is a GUI front-end to dd/dc3dd on Linux designed for easily creating forensic images.
  • ImageUSB is a free utility which lets you clone or write an image concurrently to multiple USB flash drives.
  • OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independently of the installed operating system.
  • Atola is an acquisition device that can acquire a usable image from damaged media.

If you need write blockers, go for Tableau; they have a good range of them.



Storage media analysis and reporting:

  • EnCase from Guidance Software is my preference for deep forensic analysis; they also have a portable version. You can combine it with IEF (Internet Evidence Finder) for better Internet investigations.
  • FTK Toolkit from AccessData is also a tool that I recommend having in your forensic lab.
  • X-Ways Forensics from X-Ways is a good software product.
  • Santoku is a Linux distribution that specializes in mobile forensics, malware, and security.
  • Masterkey is a Linux distribution that specializes in incident response and computer forensics.
  • DEFT is a Live CD built on top of Xubuntu with tools for computer forensics and incident response.
  • CAINE (Computer Aided Investigative Environment) is an Italian GNU/Linux live distribution based on Ubuntu, created as a digital forensics project and containing many forensic tools.
  • SIFT from SANS is a free, powerful tool available as an Ubuntu-based OS or VMware image; click here for the tool login details.
  • Autopsy is a free, open source, cost-effective and essential digital forensics tool; the interface is simple and easy to use.
  • Forensic Assistant is a Russian forensic examination software tool with many features; it can find and analyze important forensic information in programs, logs and files.
  • DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API).
  • ProDiscover from Techpathways is a computer security tool that enables computer professionals to find all the data on a computer disk while protecting evidence and creating evidentiary quality reports for use in legal proceedings.
  • Microsoft COFEE (Computer Online Forensic Evidence Extractor) is a tool that fits on a USB drive and automates the execution of commands for data extraction and related documentation.
  • Nuix Investigator is engineered to index, triage, identify, analyze and bring to the surface critical evidence across entire data sets, regardless of the geographical location, repository, file type or size.
  • Intella® TEAM from Vound enables multiple individuals to review evidence independently and simultaneously, with one case administrator.



Data recovery:

  • Recover My Files from GetData has an easy-to-use interface and will recover files from crashed or formatted disks.
  • EaseUS Data Recovery from EaseUS will recover files for you; it has a read-only option as well.
  • R-Studio from R-Tools Technology is a multi platform tool to recover deleted files.
  • Restorer Ultimate from BitMart is the tool to use if you are having difficulties with NTFS partitions.
  • Phoenix Windows Data Recovery from Stellar is designed to recover photos, videos, and other multimedia files.
  • PhotoRecovery from LC Technology is designed to recover images, movies and sound files from all types of digital media.



Password recovery:

  • Fred SC from Digital Intelligence is a dedicated super machine for brute forcing passwords. You can combine it with ElcomSoft Distributed Password Recovery; ElcomSoft has a range of password recovery products, including ones for TrueCrypt and PGP disk.
  • Passware Kit Forensic from Passware can recover passwords from different types of files and disks.
  • Hashkill is a free open source tool that supports GPU power to recover passwords.
  • Hashcat is a free, open source, multi-OS and multi-hash tool with the ability to work in a distributed environment to recover passwords.
  • Truecrack is a free open source tool specialized in recovering TrueCrypt containers.
  • Dropbox-decryptor from Magnet Forensics is a free tool that will decrypt the Dropbox filecache.dbx file, which is an encrypted SQLite database.
  • Cain & Abel from Massimiliano allows easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using a dictionary.
  • AccessData PRTK gives you the ability to recover passwords from well-known applications.



Extra utilities:

  • ExifTool is a free multi-OS tool that can extract many different meta/exif data formats from more than 300 file types.
  • PhotoME is a powerful tool to show and edit the meta/exif data of image files.
  • Xnview is a powerful image viewer that can also read exif data from image files.
  • RegRipper is an open source tool for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
  • Windows Registry Recovery allows you to read files containing Windows registry hives.
  • Crossfield Forensics Apprentice is a powerful forensic tool with a built-in Registry Explorer.
  • ForensicUserInfo is a tool that allows you to import registry files and then extracts the user information from the various files and then decrypts the LM/NT hashes from the SAM file.
  • PrefetchForensics is an application to extract information from Windows Prefetch files.
  • USBDeviceForensics is an application to extract numerous bits of information regarding USB devices.
  • Chrome and Fox Analysis is a software tool for extracting, viewing and analysing Internet history from the Chrome and Firefox web browsers.
  • NetAnalysis is a leading software tool for the extraction and analysis of data from Internet browsers.
  • Dumpzilla is a multi-OS forensic tool for Firefox web browsers.
  • SQLite Expert is a powerful administration tool for your SQLite databases which enables analysis of Skype logs, Firefox logs and other SQLite artifacts.
  • SQLite Recovery displays all SQLite databases alongside each other, allowing the investigator to gain an overview of the type and content of all of them on the suspect's computer.
  • VLC is a video player that plays just about every possible video format there is.
  • Notepad++ is an extended free version of Notepad that allows conversion and viewing of hex, ASCII, UTF and many other forms of data.
  • DigitalCorpora provides disk images, memory dumps, and network packet captures to be used for forensics education.
  • OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter.
  • To wipe data (securely delete selected files), go for BCWipe (commercial). A free alternative is Eraser.
  • To wipe data (securely delete an entire hard disk), go for DBAN (free). A commercial alternative is Blancco wiper.



Network forensic:

  • Decision Group has a variety of network forensic tools including E-Detective, Wireless-Detective, HTTPS/SSL, VoIP-Detective, and Introduction of Forensics Investigation Toolkit.
  • NetSleuth from netgrab is a free network monitoring and forensics analysis tool.
  • NetDetector from NIKSUN offers advanced forensics, providing the deepest extraction of content from network packets.
  • NetworkMiner from NETRESEC is a multi-OS tool that collects data (such as forensic evidence) about hosts on the network rather than data regarding the traffic on the network.
  • Helix3 Enterprise from e-Fense was developed by computer forensic experts and is an easy-to-use cyber security solution integrated into your network, giving you visibility across your entire infrastructure and revealing malicious activities.
  • CNE Investigator from SpectorSoft automatically records all computer activity, creating a record that can be used as evidence in civil and criminal litigation.



Memory (RAM) forensic:

  • Memoryze from Mandiant is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
  • Digital DNA from HBGary identifies and analyzes the most advanced malware threats in physical memory, including those used against global organizations for theft of intellectual property, business intelligence, customer records, and classified information.
  • Second Look from Raytheon Pikewerks is memory forensics software providing powerful, easy-to-use memory acquisition and analysis capabilities for Linux systems.
  • WindowsSCOPE provides memory acquisition and access to locked computers (access live memory and encrypted disks without needing password).
  • volafox is a memory analysis toolkit developed in Python 2.x.
  • Volatility provides extraction of digital artifacts from volatile memory (RAM) samples.


Mobile forensic:

    • UFED Touch Ultimate device from Cellebrite can perform extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.
    • XRY Complete device from Micro Systemation is complete with all the necessary hardware for recovering data from mobile devices in a forensically secure manner. They also have field version of the product.
    • CellXtract and CellXtract-TNT from Logicube provide fast and thorough forensic data extraction from mobile devices.
    • Elcomsoft iOS Forensic device from Elcomsoft performs the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices, including passwords and encryption keys, and decrypts the file system image, running any version of iOS. They also provide a strong phone password breaker, EPPB.
    • secureview3 device from Susteen is a mobile forensic kit that provides 3 specific processes for examination: acquire, analyze, and report.
    • Paraben: from software to hardware, Paraben covers the complete range of needs of any investigator, whether at the forensic or detective level.
    • FoneLab software tool from Aiseesoft retrieves and exports 8 types of data including WhatsApp, iMessages, notes, contacts and more from iOS devices.
    • MOBILedit Forensic software tool from Compelson extracts all content and generates a forensic report ready for courtroom presentation.
    • Oxygen Forensic software and hardware tool from Oxygen Forensics offers logical analysis of cell phones, smartphones and tablets using advanced proprietary protocols.
    • MPE+ software tool from AccessData is a stand-alone mobile forensics software solution that is also available on a preconfigured touch-screen tablet for on-scene mobile forensics triage.
    • SAFT software tool is a free and easy-to-use mobile forensics application developed by SignalSEC security researchers.
    • Lantern software tool is a mobile forensics tool that supports iOS, OS X, and Android.

    • BlackBerry Backup Extractor is a software tool that can recover any file from a BBDM backup, along with saved games, debug information and data that might otherwise be inaccessible.

Mobile extra utilities:

  • MyPhoneExplorer is a software tool from Fjsoft that can extract information from Android and Sony Ericsson phones.
  • MobileGo is a software tool from Wondershare that can extract information from Android and iPhone.
  • HiSuite is a software tool from Huawei that can manage and extract information from Android phones.
  • I-Funbox is a software tool that can manage files on iPhone/iPad just like Windows Explorer and can be used to extract some information from the device.
  • iPhone Backup Extractor is a software tool that can extract files (contacts, pictures, call histories, MMS, SMS, video, voicemail, calendar entries, notes, app files and saved games) from the backups iTunes automatically makes of your iPhone, iPad or iPod Touch. Another good alternative is iBackupBot.
  • WhatsApp Pocket is a software tool from Fireebok that allows you to extract WhatsApp messages from your iPhone to a computer.
  • WhatsApp Xtract is a tool from xda-dev that allows you to extract WhatsApp messages from your iPhone to a computer.
  • Android Injector is a tool from Harmony Hollow that allows you to install apps (Trojans) on your Android powered phone or device without having to get them through the Google Play Store.



Dig the web:

  • Copernic Agent is a software tool from Copernic that can send your queries to several search engines and aggregate the results for you.
  • Dogpile is a web search engine that can search multiple search engines at once.
  • smart-search-engine is a web search engine that can search social networks as well.
  • social-searcher is a web search engine that specialises in social network searches.
  • Topsy is a web search engine that can search social networks and provides social analytics as well.
  • Social Mention is a web search engine that specialises in social network searches with sentiment features.
  • Sysomos Heartbeat is a commercial web application to monitor keywords on social networks.
  • Synthesio is another commercial web application to monitor keywords on social networks.
  • DataSift, which previously ran TweetMeme, is another commercial web application to monitor keywords on social networks.
  • Gnip is another commercial web application to monitor keywords on social networks.
  • Foofind is a web search engine that specialises in file searches.
  • Addictomatic searches the best live sites on the web for the latest news, blog posts, videos and images.
  • Shy Girl from EEDS can be used to extract information based on domain name.
